MEDECO NEXGEN cylinder is installed in a specially-designed padlock to secure cargo and other valuables. The lock provides a complete audit trail of all accesses with the Medeco-supplied key. The lock is in the open position.

I will be lecturing at The University of Cambridge Computer Security Lab on April 28, 2009 with regard to security vulnerabilities and legal issues involving both high security mechanical locks and electronic access control systems. This will be a follow-up to my lecture in Dubai earlier in the month.

Information on the Medeco NexGen, Logic, Assa Abloy Cliq and other access control technologies will be presented in detail in the supplement to OPEN IN THIRTY SECONDS.

I will be speaking again this year at the Hack in the Box security conference in Dubai, UAE, on April 22, 2009. For the past two years I have participated in this gathering of almost 1000 security experts from Europe and the Middle East who meet to give presentations about wide-ranging cyber and physical security threats. The conference is always well-attended by a diverse group of participants and is again being held at the Sheraton-Creek in Dubai.

The presentation will include a detailed review regarding the protection of high security facilities, including airports and aircraft, power transmission facilities, and computer server rooms. The emphasis will be on liability and security issues that may result from an undue reliance on certain high security locking systems and technology. I will discuss a number of misconceptions and why these facilities may be at risk, even with some of the most sophisticated physical access hardware and software.

Specific problems inherent in conventional locking hardware will be the primary focus, together with an analysis of high security mechanical locks and electronic access control systems produced by many of the Assa Abloy companies. These technologies include, among others, the Cliq®, Logic®, and NexGen®. The security representations of certain manufacturers will be analyzed, and potential vulnerabilities in these high-tech systems will be explored, together with the liability that may flow to users if these systems are circumvented.

Since the publication of OPEN IN THIRTY SECONDS, which details the compromise of Medeco high security locks (2008), intensive research has been on-going in the U.S. and Europe regarding the security of different electronic access control systems. The results will be included in the new supplement to our book. These potential security issues will be examined in Dubai and will be explored in depth in the upcoming supplement, and later this year in future presentations.

Material that is being included in the new supplement will include:

Critical security vulnerabilities and inherent design flaws of Electronic Access control systems that are produced by High Security lock manufacturers;

Medeco cam locks and their lack of key control for critical infrastructure protection;
Medeco X4, the second generation of the Keymark product, and its virtual absence of any real key security.

We will also consider potential legal liabilities in connection with the failure of electronic access control systems to perform as represented by the manufacturer, especially with regard to the failure of audit functions in the event of bypass and the ramifications to the protection of critical information. The legal consequences to employers and employees that could result from false audit trail data will also be explored. In this connection, we analyze certain White Papers issued by Medeco in 2008 with regard to Logic, and why we believe this technology (and other systems) may not meet minimum physical security requirements for the protection of critical facilities and infrastructure. We examine potential non-compliance issues with regard to state and federal regulatory standards such as contained in Mass.201 CMR-17.00, Sarbanes-Oxley, Transportation Security Act, HIPAA, and the Federal Energy Regulatory Act.

If you are a dealer or end-user and have implemented electronic access control systems and have experienced technical or security issues with your deployed hardware or software, we would encourage you to contact our office to exchange information in order that the supplement is as current and complete as possible, and to provide input for the upgrade or redesign of certain systems.

We have notified Medeco of preliminary research results and have repeatedly requested the most current lock samples to confirm certain findings. Medeco has refused to provide any locks in order to allow us to conduct any tests involving Logic or Nexgen. The company has stated that it only allows testing laboratories or internal and other experts to evaluate their products, and that any information about their locks in conjunction with such tests would be considered confidential, proprietary, and protected intellectual property. We have therefore contacted certain dealers and implementers of Logic, Cliq, and Nexgen to conduct real-world trials at different venues.

Translation: Medeco is afraid to have anyone test their locks unless they are one of “their” experts and that any such testing must be covered by a non-disclosure agreement. For the record, we never asked for any information; just the locks (and we offered to pay for them).

If we had relied on any data from Medeco with regard to the ability to bump or pick their Biaxial or m3, or to develop the technique of code setting keys to open them, we never would have succeeded in doing so, and would continue to believe their locks were still secure as claimed by the manufacturer and others.

OUR QUESTION: if locks are sold by a manufacturer and represented by them as secure, why would they be afraid for anyone to analyze them independently and attempt to circumvent their security? Isn’t that the point of locks…to stay locked until the right key, code, or credential is presented? Aren’t locking systems designed specifically to stop people from attempting to open them if they do not have the correct credentials? And isn’t Medeco the undisputed leader in the high security market in North America? So why would they be so wary as to not allow us to test and report on the security of their electronic lock designs? We offered to share some of our research with the company, once we were satisfied with the reliability and repeatability of our findings and conclusions.

WHAT WE ASKED IN RETURN: That they would recall all locks that displayed design defects or deficiencies which could result in security vulnerabilities for their customers. In return we would agree to withhold any publication for at least three months, so long as the company would replace all products at no charge to the consumer.

The response we received from Medeco to this offer? No substantive response at all. We have been told that we have a duty to advise Medeco of any “alleged vulnerabilities.” They reiterated in two recent letters that “they have always been willing to listen.” Yes, that is true, but never willing to share any information, nor confirm any vulnerabilities. It is a one-way street.

After analyzing their latest communications, we remembered their corporate position on locks they have sold and later found to be susceptible to be bypassed: they stated in 2007 that purchasing Medeco locks is not like buying a subscription. If a vulnerability is discovered after purchase, just buy new locks!

Good for Medeco, but not very good for their customer who may have invested in flawed technology.

We guess that one possible answer to their lack of any real response to our request for locks would be that they read our book, or perhaps they are concerned that young JennaLynn might be recruited once again to open their Logic or Nexgen.

On October 28, 2008, I will be the Keynote speaker at the Forensic-Security conference at NIST headquarters in Gaithersburg, Maryland. The National Institute of Standards and Technology is the site of this three-day conference for law enforcement, security and IT professionals. I will be discussing high security locks and the Medeco case example and the lessons to be learned for security managers and those responsible for critical infrastructure protection. There will be more than 1100 registered attendees.

July 18, 2008

Tobias Bluzmanis, Matt Fiddler, and I will be presenting at HOPE in New York on Friday, July 18, 2008. Then we will be doing a special briefing on Medeco locks and our new book. We will answer questions with regard to security issues involving Medeco Biaxial, m3, and Bilevel cylinders. We hope that many can join us during the three-day conference.

August 8, 2008

We will be giving a presentation at DEFCON 16 in Las Vegas, on August 8. During that conference, we will go into significant detail about new and serious vulnerabilities that we discovered with regard to Medeco and other locks.

October 5-6, 2008

We will be visiting the Trezor Test Labs in Prague, Czech Republic, to discuss current bypass techniques.

October 7-8, 2008

Tobias Bluzmanis and I will be signing books at the Wendt exhibit at the Essen Security Exhibition in Germany.

October 9-10-11, 2008

Tobias Bluzmanis and I will be at Sneek, Netherlands, at the Toool meeting. We are doing a detailed presentation and hands-on demonstration to teach bumping, picking, and compromise of key control for Medeco locks.

Ross Anderson, world renowned security expert and director of the Cambridge University Computer Security Laboratory, has written one of the forewords for our new book. Ross is the author of Security Engineering, Second Edition, which is a primary reference for software designers and engineers. The new edition of his book has recently been released by John Wiley & Sons publishers. This 1000 page book is the definitive work on the engineering of software systems and their vulnerabilities.

Ross discusses physical security and its relation to software systems, and how the two technologies can intersect to create additional security challenges or opportunities. His foreword should be a wake-up call for security professionals and especially locksmiths, that the integration of mechanical locks and software-based systems is inevitable, and that the physical security industry will face the same challenges with regard to security and disclosure of vulnerabilities as did the software industry.

Most of the world’s serious assets, from computer rooms to art collections, are defended by pin tumbler locks, and Medeco has ruled this world supreme for a generation. So the Tobias attacks on the most modern Medeco offerings, which they describe in this book, came as a serious shock for security engineers.

It is a great honour to be asked to write this foreword, as the book is sure to be a milestone in the field. What is less clear is the future direction of travel for the industry.

As my own background lies more in cryptographic and systems security, there is some temptation to think that the attacks might signal a technology change — especially as they follow on widely-publicized and improved lock-bumping techniques that cast serious doubts on the low-cost end of the market. Has the metal lock now had its day? Will the future lie with cryptographic tokens and remote key-entry devices?

That is also far from clear. Electronic systems have vulnerabilities too, and although the first break can be harder to find, the eventual failure can be much more catastrophic. For example, the recent reverse-engineering of MIFARE has exposed millions of applications to low-cost forgery, starting with the Dutch public transit card but including many building access control systems.

I suspect that in the medium term, we will see a merger of the worlds of electronic locks and mechanical locks. I do not just mean that high-end products will combine both technologies – although this is already starting to happen. The important change, I believe, is that we will need to start thinking more in terms of systems.

First, the evaluation of mechanical locks has depended for many years on the reputation of the manufacturer plus some (often rather cursory) inspection by insurance bodies, as described in chapter 2. In the electronic domain, evaluation is much more open and combative: security researchers vie to find vulnerabilities in products, and a constant stream of vulnerability reports drives product upgrades and innovation. Locksmiths will have to get used to a much more open and fast-moving environment, in which vulnerabilities are reported publicly (as Medeco’s are in this book). Finding (or anticipating) vulnerabilities in complex systems is a collaborative effort of many people over time, and openness is vital.

Second, locks get much of their value from the role that they play in larger systems, rather than simply as components. The need to manage all the locks in a building has led to master keying, but (as this book hammers home) that brings with it complexity and other opportunities for error. Facility designers in the future may want some locks that can be integrated seamlessly into electronic control and surveillance systems; and if they are prudent they will want some other locks that are independent, to mitigate the risks of systemic and common-mode failures. Vendors may have to think more carefully about complexity and interaction, both of features and of failure modes, and not just within a single lock but in all their fielded products. Again, openness will be critical; security engineers need to know the vulnerabilities of the products they use as well as their strengths, so they can avoid untoward interactions.

Returning now to the Medeco locks that are the main subject of this book, I cannot help wondering whether their very complexity may have been their undoing. Electronic security professionals know that complexity is the enemy of security, and the marketers’ natural tendency to add features must be vigorously resisted by the security architect.

Features interact, and past a certain level of complexity it is just not possible for designers to anticipate them all. This may be new to lock designers, but it’s old hat to people who work with computers. The exchange of such ‘lore’ between different security communities is at least as important as the exchange of formal engineering data.

In short, now that the electronic and mechanical security communities are converging, our task is to combine the best of both — not just at the component level, but the best design and evaluation thinking at the level of systems. This is going to be a fascinating challenge.

I hope that many of you had a chance to listen to Emmanuel Goldstein’s radio program, Off The Hook, on WBAI in New York last Wednesday, May 23, 2008. We had a good discussion of security and high security locks, especially relating to Medeco cylinders.

I have received quite a few emails with regard to our new book on Medeco. We anticipate releasing the extremely detailed multimedia edition on June 15, 2008. The Government and Locksmith editions are entitled “The Compromise of Medeco High Security Locks: New techniques of forced, covert, and surreptitious entry.”

The softbound edition is scheduled for limited release in New York during the second week of July, with full release the first week in August. The printed edition is entitled, “OPEN IN THIRTY SECONDS: Cracking one of Americas most secure locks.”

Marc Tobias and Tobias Bluzmanis have been invited by Barry Wels to give a detailed presentation at the annual Toool conference in Sneek between October 9-11, with regard to how they developed bypass techniques to compromise one of the most secure locks in America, produced by Medeco, of Salem, Virginia.

Marc and Toby will be training security professionals as to methods of picking, bumping, forced entry, and the complete compromise of key control for the m3 and certain Biaxial cylinders. Overflow attendance is expected at the conference this year because it immediately follows the security show in Essen, Germany.

Marc Tobias and Matt Fiddler will again be lecturing at the annual Defcon 16 security conference in Las Vegas between August 8-10. Last year, more than 8,000 people attended the three-day event.

Marc and Matt will lecture on the development of bypass techniques for Medeco high security locks and explore this classic case of multiple failures that allowed perhaps the most secure lock in America to be compromised by forced and covert methods of entry. The new book by Marc Tobias and Tobias Bluzmanis on how the Medeco locks were cracked will be released at the conference.

A demonstration of new and extremely serious vulnerabilities will be presented with regard to Medeco cylinders in an effort to alert security officers of the potential threat that currently exists for certain Medeco locks. Last year, JennaLynn, 12 years old, bumped open a Medeco Biaxial cylinder in about a minute. This year, she is expected to again demonstrate certain bypass techniques that surely will be of interest to consumers as well as security specialists.

Marc Tobias will be conducting a workshop at the annual Techno-Security conference in Myrtle Beach, SC, on June 2, 2008, put on by The Training Company.

Approximately 1400 law enforcement personnel are expected to attend the four day conference, which is recognized as one of the most successful gatherings of its kind. Marc will lecture on the vulnerabilities of high security locks; vital information for covert entry experts.

Marc Tobias will be interviewed by Emmanuel Goldstein, Founder of 2600 Magazine and the HOPE Conference in New York. This one hour radio program will be aired on Wednesday, May 21, 2008 at 7:00 P.M. in New York on WBAI-FM.

Marc will discuss various issues that relate to high security locks and the standards by which they are certified, as well as a broad range of other vulnerabilities. He will also discuss his soon to be released book about how the security of Medeco locks has been compromised.

Marc Tobias met with Peter Koktan, the Director of the Trezor Test laboratory in Prague on April 19 and 20 to discuss methods of certifying high security locks and test procedures. Trezor Test is the only certified lab in the country for determining the security ratings and compliance of locks and related hardware with European standards. Marc also met with Paul Gec at the lab, and other security experts to exchange information with regard to bypass techniques. Marc will re-visit the lab in October, 2008.